CLAIMS 

What is claimed is: 

.1. A method, comprising: 

when a packet is to be sent over a secured connection, 
determining if the secured connection is set up; 

when the secured connection is not set up, storing the 
packet; and 

after storing the packet, when the secure connection is 
set up, retrieving the packet and transmitting the packet over the 
secured connection. 

2. The method of claim 1, wherein the secured connection is 
an internet protocol security protocol connection. 

3. The method of claim 1, wherein the secured connection is 
set up when a security association associated with the secured 
connection is set up. 

4. The method of claim 1, wherein when the secured 
connection is not set up, setting up the secured connection. 

5. The method of claim 4, wherein setting up the secured 
connection includes negotiating a security association associated 
with the secure connection. 

6. The method of claim 5, wherein negotiation the security 
association includes negotiating the security association using 
the internet key exchange protocol. 

7. A system, comprising: 

a networking subsystem; 
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a security subsystem; 

a negotiation subsystem; and 

a packet store; 

wherein when the networking subsystem generates a packet 
that is to be transmitted over a secure connection, the networking 
subsystem determines if the secure connection is set up; 

when the secure connection is set up, the networking 
subsystem signals the negotiation subsystem to set up the secure 
connection and stores the packet in the packet store; and 

after storing the packet, the security subsystem 
periodically determines whether the secure connection is set up 
and, when the security subsystem determines that the secure 
connection is set up, the packet is retrieved from the packet 
store and the security subsystem transforms the packet and 
transmits the packet over the secure connection. 

8. The system of claim 7, wherein the networking subsystem 
stores the packet in a queue. 

9. The system of claim 7, wherein the networking subsystem, 
before storing the packet, checks whether storing the packet would 
violate a constraint related to the storage of the packet. 

10. The system of claim 9, wherein when the networking 
subsystem determines that storing the packet would violate a 
constraint related to the storage of the packet, the networking 
subsystem does not store the packet and wherein when the 
networking subsystem determines that storing the packet would not 
violate a constraint related to the storage of the packet, the 
networking subsystem stores the packet. 
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11. The system of claim 9, wherein the constraint related' to 
the storage of the packet includes a maximum package storage time 
that specifies how long a packet is to be stored before being 
dropped. 

12. The system of claim 9, wherein the constraint related to 
the storage of the packet includes a maximum packet limit that 
specifies the maximum number of packets that can be stored at one 
time . 

13. The system of claim 9, wherein the constraint related to 
the storage of the packet includes a maximum amount of system 
memory for storage of packets. 

14. The system of claim 7, further comprising a timer that 
determines when the security subsystem periodically determines 
whether the secure association exists for the internet protocol 
security protocol connection. 

15. A system, comprising: 

a networking subsystem; 

an internet protocol security protocol subsystem; 
an internet key exchange subsystem; and 
a packet store; 

wherein when the networking subsystem generates a packet 
that is to be transmitted over an internet protocol security 
protocol connection, the networking subsystem determines if a 
security association associated with the internet protocol 
security protocol connection exists; 

when the security association does not exist, the 
networking subsystem signals the internet key exchange subsystem 
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to negotiate the security association and stores the packet in the 
packet store; and 

after storing the packet, the internet protocol security 
protocol subsystem periodically determines whether the security 
association exists for the internet protocol security protocol 
connection and, when the internet protocol security protocol 
subsystem determines that the security association exists for the 
internet protocol security protocol connection, the packet is 
retrieved from the packet store and the internet protocol security 
protocol subsystem transforms the packet and transmits the packet 
over the internet protocol security protocol connection in 
accordance with the internet protocol security protocol. 

16. The system of claim 15, wherein the internet protocol 
security protocol subsystem determines whether the security 
association exists for the internet protocol security protocol 
connection after successive periodic intervals elapse. 

17. The system of claim 16, wherein each periodic interval 
is 500 milliseconds long. 

18. A programmable-processor readable medium on which 
program instructions are stored, wherein the program instructions 
are operable to cause a programmable processor to: 

when a packet is to be sent over a secured connection, 
determine if the secured connection is set up; 

when the secured connection is not set up, store the 
packet; and 

after storing the packet, when the secure connection is 
set up, retrieve the packet and transmitting the packet over the 
secured connection. 



Attorney Docket No. 100.615US01 



28 



19. A cable modem termination system, comprising: 

a radio frequency interface that, when the cable modem 
termination system is coupled to a hybrid-fiber coaxial cable 
network, communicates with the hybrid-fiber coaxial cable network; 

an second interface that, when the cable modem 
termination system is coupled to an upstream network, communicates 
with the upstream network; 

a programmable processor coupled to the radio frequency 
interface and the second interface; and 

memory coupled to the programmable processor, wherein 
program instructions are stored in the memory that, when executed 
on the programmable processor, cause the cable modem termination 
system to: 

when a packet is to be sent over an internet 
protocol security protocol connection, determine if a security 
association associated with the internet protocol security 
protocol connection exists; 

when the security association does not exist, store 
the packet in a packet store; and 

after the packet is stored, periodically determine 
whether the security association exists for the internet protocol 
security protocol connection and, when the security association 
exists for the internet protocol security protocol connection, 
retrieve the packet from the packet store and transmit the packet 
over the internet protocol security protocol connection. 

20. The cable modem termination system of claim 19, wherein 
the program instructions, when executed by the programmable 
processor, cause the cable modem termination system to, when the 
packet is to be sent over the internet protocol security protocol 
connection and the security association does not exist, negotiate 
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with a destination node for which the packet is intended to set' up 
the security association, 

21. The cable modem termination system of claim 19, wherein 
the second interface includes a backplane interface of an access 
switch that, when the cable modem termination system is coupled to 
a backplane, communicates with the backplane. 

22. The cable modem termination system of claim 21, wherein 
the second interface communicates with the upstream network over 
the backplane. 

23. The cable modem termination system of claim 21, wherein 
the second interface communicates with a second cable modem 
termination system over the backplane. 

24. A network interface module, comprising: 

an external network interface that, when the network 
interface module is coupled to an external network, couples the 
network interface module to the external network; 

a backplane interface that, when the network interface 
module is coupled to a backplane, communicates with the backplane; 

a programmable processor coupled to the external network 
interface and the backplane interface; and 

memory coupled to the programmable processor, wherein 
program instructions are stored in the memory that, when executed 
on the programmable processor, cause the network interface module 
to: 

when a packet is to be sent over an internet 
protocol security protocol connection, determine if a security 
association associated with the internet protocol security 
protocol connection exists; 
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when the security association does not exist, store 
the packet in a packet store; and 

after the packet is stored, periodically determine 
whether the security association exists for the internet protocol 
security protocol connection and, when the security association 
exists for the internet protocol security protocol connection, 
retrieve the packet from the packet store and transmit the packet 
over the internet protocol security protocol connection. 

25. The network interface module of claim 24, wherein the 
program instructions, when executed by the programmable processor, 
cause the network interface module to, when the packet is to be 
sent over the internet protocol security protocol connection and 
the security association does not exist, negotiate with a 
destination node for which the packet is intended to set up the 
security association. 

26. The network interface module of claim 25, wherein the 
program instructions, when executed by the programmable processor, 
cause the network interface module to, when the packet is to be 
sent over the internet protocol security protocol connection and 
the security association does not exist, negotiate with the 
destination node for which the packet is intended to set up the 
security association using an internet key exchange protocol. 

27. The network interface module of claim 24, wherein the 
external network includes a wide area network. 

28. The network interface module of claim 27, wherein the 
wide area network includes the Internet. 
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